M&A activity remains at all-time highs, with PE firms continuing to leverage their dry powder to pick up firms across the globe. Firms are, however, becoming ever more digital, and as a consequence due diligence has started to focus more and more on identifying cyber security risks related to targets – as poor cyber defences have become a major concern for acquirers. A new report finds that compliance problems are one of the major drivers for the need for a thorough due diligence process, with only 40% very satisfied that their team are thorough and expert enough to uncover potential problems.
Costs related to cyber security are rising rapidly. As more and more companies invest in digital transformations, and as more and more of companies’ operations are digitalised, the number of vectors from which digital adversaries can mount attacks is on the rise. Adversaries are also becoming more sophisticated, sometimes innovating faster than the defences of companies can be erected and upheld – the human factor too remains an ever present risk, with social engineering remaining a prominent issue.
Recent analysis of the costs finds that the average cost for a data breach to a large company stood at $3.8 million in 2015, up 7.6% on the year previous. The number of daily attacks, many of which are thwarted, comes in at around 500,000, while the total global costs have been estimated by McAfee at up to $400 billion per year. Avoiding breaches, therefore, has become an ever more pressing issue for companies.
While integrated contractors and partners form two risk vectors for companies that have their own ship in order, the addition of a recently acquired company to the firm’s network, or, in the case of PE, to the PE firm’s liability, is another area of possible concern. In a new report from West Monroe, titled ‘Testing the Defences: Cyber Security and M&A’, the consultancy firm considers the changing behaviour surrounding cyber security considerations have in the due diligence process for deals.
The research is based on a survey of 30 senior executives at corporates and private equity firms with a large number of M&A projects. Two-thirds of respondents are from large cap companies, while 90% have a security policy/framework in place. The majority of companies (60%) leverages in-house expertise, while 40% hires in expertise from external advisors and experts.
The survey finds that cyber security has grown in importance over the past two years, 77% saying that its importance has grown significantly, while 23% say that it has increased somewhat. As it stands, 80% of respondents say that due diligence for a deal related to possible cyber security is highly important, with 20% saying it is somewhat important.
West Monroe Managing Director Matt Sondag says, “Acquirers have become much better-informed of late about the risks of inadequate cybersecurity. When a data breach lands on the front page of CNN.com or The Wall Street Journal, companies start to pay closer attention to the issue. In the last 18 to 24 months, we have really started to see the importance of cybersecurity resonate with our clients.”
The researchers also sought to identify what respondents believed to be the top two concerns regarding cyber security at their respective firms. Of all concerns signified by the research, the ‘cost of correcting existing problems’ was cited as the most often sought after concern by respondents, at 50%. This is followed by the ‘potential complications for post-merger integration’, cited by 43% of respondents. 37% respondents also said that, among their top two concerns, are attempted to find out how often the target has already been compromised by assailants, as cited by 37% of respondents. 37% cited 'threats to customer data' as a concern, while 33% cited 'threats to business data'.
The respondents were also asked about the most common and important types of cybersecurity issues discovered at the targets, as well as their relative importance. The top most uncovered issues are 'compliance problems', which, given the increased surveillance of regulators following large scale events in recent years, can result in hefty fines and penalties – the due diligence process takes the issue seriously, with 30% citing it as their top priority. The 'lack of a comprehensive data security architecture' was the second most commonly identified issue, cited by 40% of respondents, followed by 'vulnerability from insider threats' – they are cited as the most typical issue by 13% and 10% of respondents respectively. Two challenges cited as important regarding the deal process are companies that 'lack a data security team', cited as the most important by 17% of respondents and 'weak encryption/security of vendors', as mentioned by 13%.
The research also asks respondents about the satisfaction of the due diligence process surrounding recent deals. Respondents are generally satisfied, with 40% saying that they are highly satisfied and 57% somewhat satisfied. When asked to identify up to two areas of dissatisfaction, the largest dissatisfaction found is not enough time devoted to the process, at 39%, followed by not enough qualified people being involved in the process, at 32%.
The target itself is found to be an issue in 29% of the cases, in so far as there was a lack of cooperation or knowledge on their part. A lack of thoroughness, through which post deal problems arose, was cited by 29%, while inadequate preparation of the part on the acquirer was cited as an issue by 25% of respondents.
The threat of post-deal problems, as well as a lack of cooperation in some instances, has prompted acquirers to implement special protections to mitigate possible risks related to cybersecurity in dealmaking. When asked what two processes are most often implemented to offset downsides, the top ranked process is 'representations & warranty insurance', as cited by 63% of respondents, followed by 'specific closing conditions', highlighted by 53% of respondents. 'Purchase price adjustments', to factor in costs related to shoring up defences, are cited by 43% of respondents, while 'special indemnities and holdbacks' are cited by 27% and 13% respectively.
According to the report’s authors, “The reality of the modern business environment is that every sector has become vulnerable to cybersecurity problems. Virtually all acquirers must implement a rigorous diligence process when considering M&A targets. The nature of cyber threats is also changing constantly, requiring a nimble approach to due diligence. As security concerns evolve, make sure that your diligence procedures evolve with them.”